
Security vulnerabilities in the subversion software package

  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2015-11795
2015-07-17 23:30:43
——————————————————————————–

Name : subversion
Product : Fedora 21
Version : 1.8.13
Release : 7.fc21
URL : http://subversion.apache.org/
Summary : A Modern Concurrent Version Control System
Description :
Subversion is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a
hierarchy of files and directories while keeping a history of all
changes. Subversion only stores the differences between versions,
instead of every complete file. Subversion is intended to be a
compelling replacement for CVS.

——————————————————————————–
Update Information:

This update includes the latest stable release of **Apache Subversion**, version **1.8.13**.

Three security vulnerabilities are fixed in this update:

* CVE-2015-0202: https://subversion.apache.org/security/CVE-2015-0202-advisory.txt
* CVE-2015-0248: https://subversion.apache.org/security/CVE-2015-0248-advisory.txt
* CVE-2015-0251: https://subversion.apache.org/security/CVE-2015-0251-advisory.txt

In addition, the following changes are included in the Subversion 1.8.13 update:

**Client-side bugfixes:**
* ra_serf: prevent abort of commits that have already succeeded
* ra_serf: support case-insensitivity in HTTP headers
* better error message if an external is shadowed
* ra_svn: fix reporting of directory read errors
* fix a redirect handling bug in ‘svn log’ over HTTP
* properly copy tree conflict information
* fix ‘svn patch’ output for reordered hunks http://subversion.tigris.org/issues/show_bug.cgi?id=4533
* svnrdump load: don’t load wrong props with no-deltas dump http://subversion.tigris.org/issues/show_bug.cgi?id=4551
* fix working copy corruption with relative file external http://subversion.tigris.org/issues/show_bug.cgi?id=4411
* don’t crash if config file is unreadable
* svn resolve: don’t ask a question with only one answer
* fix assertion failure in svn move
* working copy performance improvements
* handle existing working copies which become externals
* fix recording of WC meta-data for foreign repos copies
* fix calculating repository path of replaced directories
* fix calculating repository path after commit of switched nodes
* svnrdump: don’t provide HEAD+1 as base revision for deletes
* don’t leave conflict markers on files that are moved
* avoid unnecessary subtree mergeinfo recording
* fix diff of a locally copied directory with props

**Server-side bugfixes:**
* fsfs: fix a problem verifying pre-1.4 repos used with 1.8
* svnadmin freeze: fix memory allocation error
* svnadmin load: tolerate invalid mergeinfo at r0
* svnadmin load: strip references to r1 from mergeinfo http://subversion.tigris.org/issues/show_bug.cgi?id=4538
* svnsync: strip any r0 references from mergeinfo http://subversion.tigris.org/issues/show_bug.cgi?id=4476
* fsfs: reduce memory consumption when operating on dag nodes
* reject invalid get-location-segments requests in mod_dav_svn and svnserve
* mod_dav_svn: reject invalid txnprop change requests

**Client-side and server-side bugfixes:**
* fix undefined behaviour in string buffer routines
* fix consistency issues with APR r/w locks on Windows
* fix occasional SEGV if threads load DSOs in parallel
* properly duplicate svn error objects
* fix use-after-free in config parser

——————————————————————————–
ChangeLog:

* Tue Jul 14 2015 Joe Orton <jorton@redhat.com> - 1.8.13-7
- move svnauthz to -tools; make svnauthz-validate a symlink
- move svnmucc man page to -tools
- restore dep on systemd (#1183873)
* Tue Jul 14 2015 Joe Orton <jorton@redhat.com> - 1.8.13-6
- rebuild with tests enabled
* Tue Jul 14 2015 Joe Orton <jorton@redhat.com> - 1.8.13-5
- rebuild with SWIG 3.0.6 (#1216264)
* Mon Jun 15 2015 Ville Skyttä <ville.skytta@iki.fi> - 1.8.13-4
- Own bash-completion dirs not owned by anything in dep chain
* Tue Apr 21 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.13-2
- Disable tests to fix swig test issues
* Wed Apr 8 2015 <vondruch@redhat.com> - 1.8.13-1
- Fix Ruby's test suite.
* Tue Apr 7 2015 Joe Orton <jorton@redhat.com> - 1.8.13-1
- update to 1.8.13 (#1207835)
- attempt to patch around SWIG issues
* Tue Dec 16 2014 Joe Orton <jorton@redhat.com> - 1.8.11-1
- update to 1.8.11 (#1174521)
- require newer libserf (#1155670)
——————————————————————————–
References:

[ 1 ] Bug #1205138 – CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers
https://bugzilla.redhat.com/show_bug.cgi?id=1205138
[ 2 ] Bug #1205134 – CVE-2015-0202 subversion: (mod_dav_svn) remote denial of service with certain REPORT requests
https://bugzilla.redhat.com/show_bug.cgi?id=1205134
[ 3 ] Bug #1205140 – CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions
https://bugzilla.redhat.com/show_bug.cgi?id=1205140
——————————————————————————–

This update can be installed with the "yum" update program. Use
su -c 'yum update subversion' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
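As an added example that is not part of the Fedora notification and not code from the Subversion project: a small POSIX sh check that decides whether an installed subversion package is at or past the 1.8.13-7.fc21 build that carries this update, and says so before you run the yum command above. The fixed version-release comes from the notification; the function names, the comparison logic (numeric fields only, dist tag dropped, no epoch handling) and the sample version strings are this example's own assumptions. The `rpm` query is only issued when `rpm` exists on the host, so the functions can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not from the Fedora notification: check whether an
# installed subversion package is at or past the build that carries
# this update. FIXED_VR is taken from the notification (1.8.13, release
# 7.fc21); the function names and comparison logic are this example's own.
FIXED_VR="1.8.13-7.fc21"

# Compare two dot-separated numeric version strings.
# Prints -1, 0 or 1 for a < b, a = b, a > b; missing fields count as 0,
# so "1.8" and "1.8.0" compare equal.
cmp_dotted() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return; fi
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# svn_pkg_is_fixed VERSION-RELEASE
# True (exit 0) when the given "VERSION-RELEASE" (as printed by rpm, e.g.
# "1.8.11-1.fc21") is at or past FIXED_VR. The dist tag (".fc21") is
# dropped so only the numeric release is compared; that is an assumption
# of this example, not rpm's full EVR algorithm (no epoch handling).
svn_pkg_is_fixed() {
    inst_ver=${1%%-*}
    inst_rel=${1#*-}; inst_rel=${inst_rel%%.*}
    fix_ver=${FIXED_VR%%-*}
    fix_rel=${FIXED_VR#*-}; fix_rel=${fix_rel%%.*}
    c=$(cmp_dotted "$inst_ver" "$fix_ver")
    if [ "$c" -gt 0 ]; then return 0; fi
    if [ "$c" -lt 0 ]; then return 1; fi
    [ "$inst_rel" -ge "$fix_rel" ]
}

# report_installed: query rpm on a Fedora host and print a verdict.
report_installed() {
    vr=$(rpm -q subversion --qf '%{VERSION}-%{RELEASE}\n' 2>/dev/null) || {
        echo "subversion: not installed"; return 0; }
    if svn_pkg_is_fixed "$vr"; then
        echo "subversion $vr: already at or past $FIXED_VR"
    else
        echo "subversion $vr: predates $FIXED_VR, run: su -c 'yum update subversion'"
    fi
}

# Only touch rpm when it exists, so the functions above can be sourced or
# exercised on any POSIX sh.
command -v rpm >/dev/null 2>&1 && report_installed
```

The references below place all three CVEs in mod_dav_svn, so the hosts that matter most are those serving repositories through Apache httpd with that module loaded (`httpd -M` lists the loaded modules); a host that only runs the svn client or svnserve still receives the non-security fixes from this update.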

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Author: Marko Stanec
Cert id: NCERT-REF-2015-07-0015-ADV
Source: http://www.adobe.com/